GitLab Product Security Update Advisory
Overview
An update has been released to address vulnerabilities in our GitLab products. Users of affected versions are advised to update to the latest version.
Affected Products
CVE-2023-6371
- All versions of GitLab CE/EE prior to 16.8.5
- All 16.9.x versions of GitLab CE/EE prior to 16.9.3
- All 16.10.x versions of GitLab CE/EE prior to 16.10.1
CVE-2024-2279
- GitLab CE/EE versions: 16.7 (inclusive) to 16.8.6 (excluded)
- All 16.9.x versions of GitLab CE/EE prior to 16.9.4
- All 16.10.x versions of GitLab CE/EE prior to 16.10.2
CVE-2024-2829
- GitLab CE/EE versions: 12.5 (inclusive) to 16.9.6 (excluded)
- All 16.10.x versions of GitLab CE/EE prior to 16.10.4
- All 16.11.x versions of GitLab CE/EE prior to 16.11.1
CVE-2024-4835
- GitLab CE/EE versions: 15.11 (inclusive) to 16.10.6 (excluded)
- All 16.11.x versions of GitLab CE/EE prior to 16.11.3
- All 17.0.x versions of GitLab CE/EE prior to 17.0.1
CVE-2024-2434
- All 16.9.x versions of GitLab CE/EE prior to 16.9.6
- All 16.10.x versions of GitLab CE/EE prior to 16.10.4
- All 16.11.x versions of GitLab CE/EE prior to 16.11.1
CVE-2024-3092
- All 16.9.x versions of GitLab CE/EE prior to 16.9.4
- All 16.10.x versions of GitLab CE/EE prior to 16.10.2
CVE-2024-4024
- GitLab CE/EE versions: 7.8 (inclusive) to 16.9.6 (excluded)
- All 16.10.x versions of GitLab CE/EE prior to 16.10.4
- All 16.11.x versions of GitLab CE/EE prior to 16.11.1
Resolved Vulnerabilities
Stored XSS vulnerability in wiki pages via the Banzai pipeline in GitLab CE/EE (CVE-2023-6371)
Stored XSS vulnerability in GitLab CE/EE via autocomplete results (CVE-2024-2279)
Unauthenticated ReDoS vulnerability in FileFinder when using a wildcard filter in project file search in GitLab CE/EE (CVE-2024-2829)
One-click account takeover vulnerability via XSS leveraging VS Code Editor (Web IDE) in GitLab CE/EE (CVE-2024-4835)
Path traversal vulnerability in GitLab CE/EE allowing denial of service and reading of restricted files (CVE-2024-2434)
Stored XSS injected in the diff viewer in GitLab CE/EE (CVE-2024-3092)
GitLab account takeover vulnerability under certain conditions when using Bitbucket as an OAuth provider in GitLab CE/EE (CVE-2024-4024)
Vulnerability Patches
Vulnerability patches have been made available in the latest update. Please follow the instructions on the Referenced Sites to update to the patched versions listed below.
CVE-2023-6371
- GitLab CE/EE versions 16.8.5, 16.9.3, 16.10.1
CVE-2024-2279, CVE-2024-3092
- GitLab CE/EE versions 16.8.6, 16.9.4, 16.10.2
CVE-2024-2829, CVE-2024-2434, CVE-2024-4024
- GitLab CE/EE versions 16.9.6, 16.10.4, 16.11.1
CVE-2024-4835
- GitLab CE/EE versions 16.10.6, 16.11.3, and 17.0.1
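Added example (not part of this advisory or of GitLab's own tooling): a Python checker that encodes the affected ranges from the Affected Products section and the patched versions from the Vulnerability Patches section, and reports which of the listed CVEs still apply to an installed GitLab version string such as the one returned by GitLab's GET /api/v4/version endpoint (e.g. "16.9.3-ee"). The range table is transcribed from this advisory; the function names and the sample input are this example's own choices.

```python
"""Check an installed GitLab version against the ranges in this advisory.

Added example: the range table is transcribed from the advisory text;
function names and the sample version below are this example's own.
"""
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Each entry is (lower bound inclusive, or None for "all versions", upper bound exclusive).
# "All 16.9.x versions prior to 16.9.3" is written as ("16.9", "16.9.3").
# The upper bound of every range is the first patched release on that line,
# which matches the Vulnerability Patches section of the advisory.
AFFECTED_RANGES = {
    "CVE-2023-6371": [(None, "16.8.5"), ("16.9", "16.9.3"), ("16.10", "16.10.1")],
    "CVE-2024-2279": [("16.7", "16.8.6"), ("16.9", "16.9.4"), ("16.10", "16.10.2")],
    "CVE-2024-2829": [("12.5", "16.9.6"), ("16.10", "16.10.4"), ("16.11", "16.11.1")],
    "CVE-2024-4835": [("15.11", "16.10.6"), ("16.11", "16.11.3"), ("17.0", "17.0.1")],
    "CVE-2024-2434": [("16.9", "16.9.6"), ("16.10", "16.10.4"), ("16.11", "16.11.1")],
    "CVE-2024-3092": [("16.9", "16.9.4"), ("16.10", "16.10.2")],
    "CVE-2024-4024": [("7.8", "16.9.6"), ("16.10", "16.10.4"), ("16.11", "16.11.1")],
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable 3-tuple.

    GitLab reports versions like '16.9.3-ee'; the edition suffix (or any other
    non-numeric tail of a component) is ignored. A missing PATCH counts as 0,
    so the advisory's '16.7' lower bound becomes (16, 7, 0).
    """
    nums: List[int] = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(digits))
    if len(nums) < 2:
        raise ValueError(f"expected at least MAJOR.MINOR, got {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def in_range(v: Version, low: Optional[str], high: str) -> bool:
    """True if low <= v < high, with low=None meaning 'no lower bound'."""
    lower_ok = low is None or parse_version(low) <= v
    return lower_ok and v < parse_version(high)


def affected_cves(installed: str) -> List[Tuple[str, str]]:
    """Return (CVE, first patched version on that line) for each listed CVE
    that applies to `installed`; an empty list means none of them apply."""
    v = parse_version(installed)
    hits: List[Tuple[str, str]] = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if in_range(v, low, high):
                hits.append((cve, high))
                break  # ranges for one CVE are disjoint; one match is enough
    return hits


def recommended_target(installed: str) -> Optional[str]:
    """Lowest upgrade target that clears every listed CVE, or None if
    `installed` is not affected by any of them.

    Each matching range contains `installed` and extends up to its patched
    version, so any upgrade must reach at least the highest of those. The
    16.9 line, for instance, has no fix for CVE-2024-4835, which is why a
    16.9.x instance lands on 16.10.6 rather than 16.9.6. The candidate is
    re-checked against the table instead of being trusted on shape alone.
    """
    hits = affected_cves(installed)
    if not hits:
        return None
    target = max((fixed for _, fixed in hits), key=parse_version)
    leftover = affected_cves(target)
    if leftover:
        raise RuntimeError(f"{target} is still affected by {[c for c, _ in leftover]}")
    return target


if __name__ == "__main__":
    # "16.9.3-ee" is a constructed sample input; pass real version strings as arguments.
    for arg in sys.argv[1:] or ["16.9.3-ee"]:
        hits = affected_cves(arg)
        if not hits:
            print(f"{arg}: not affected by the CVEs in this advisory")
            continue
        for cve, fixed in hits:
            print(f"{arg}: affected by {cve} (first fix on that line: {fixed})")
        print(f"{arg}: upgrade to at least {recommended_target(arg)}")
```

Usage: `python gitlab_advisory_check.py 16.9.3-ee 17.0.1`. The checker only knows the seven CVEs listed here, so "not affected" means "not affected by this advisory", not "up to date"; GitLab's own security release pages in the Referenced Sites remain the authority for anything newer.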
Referenced Sites
[1] CVE-2023-6371 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-6371
[2] GitLab Security Release: 16.10.1, 16.9.3, 16.8.5
https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/
[3] CVE-2024-2279 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-2279
[4] GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6
https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
[5] CVE-2024-2829 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-2829
[6] GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/
[7] CVE-2024-4835 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-4835
[8] GitLab Patch Release: 17.0.1, 16.11.3, 16.10.6
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
[9] CVE-2024-2434 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-2434
[10] CVE-2024-3092 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-3092
[11] CVE-2024-4024 Detail